---
url: 'https://www.corbado.com/blog/passkeys-ios-15'
title: 'Passkeys in iOS 15 '
description: 'Learn how passkeys work on iOS 15. Discover the importance of Touch ID and Face ID for WebAuthn and device-bound passkeys on iOS 15.'
lang: 'en'
author: 'Vincent Delitz'
date: '2024-06-17T15:23:48.168Z'
lastModified: '2026-03-25T10:00:32.657Z'
keywords: 'ios 15, device-bound passkeys ios 15, synced passkeys ios 15'
category: 'WebAuthn Know-How'
---

# Passkeys in iOS 15 

## Key Facts

- **iOS 15**, launched September 2021, introduced device-bound passkeys via platform
  authenticators. Without Touch ID or Face ID configured, users are limited to hardware
  security keys only.
- **Synced passkeys** were not available by default on iOS 15. Credentials remain
  device-bound for the device lifetime and cannot migrate to iCloud Keychain
  automatically.
- **Conditional UI** is unsupported on iOS 15 even with Touch ID enabled, distinguishing
  it from iOS 16+ where more advanced passkey discovery features are available.
- The **backupEligible (BE) and backupStatus (BS) flags** are both set to false on iOS 15,
  confirming platform authenticator credentials are ineligible for cloud sync.
- **iOS 15 market share** was only 5% in Q1 2024, making special handling less urgent but
  still necessary for a consistent cross-device authentication experience.

## 1. Introduction: Passkeys on iOS 15

[iOS](https://www.corbado.com/blog/webauthn-errors) 15, launched in September 2021, marked a significant
milestone in Apple's ongoing efforts to enhance user authentication security. While the
**support for WebAuthn had already made its debut in the iOS 14.5** update with support
for external hardware security keys (e.g. [YubiKeys](https://www.corbado.com/glossary/yubikey)),
[iOS](https://www.corbado.com/blog/webauthn-errors) 15 introduced a key development: the ability to create
[device-bound passkeys](https://www.corbado.com/faq/are-passkeys-device-specific) / WebAuthn credentials with a
platform [authenticator](https://www.corbado.com/glossary/authenticator) (Touch ID or
[Face ID](https://www.corbado.com/faq/is-face-id-passkey)). These single-device credentials set the stage for the
more advanced, **synced passkeys that were introduced in iOS 16**. On
[iOS](https://www.corbado.com/blog/webauthn-errors) 15, though, the synchronization feature could have been
activated by going into the developer mode and turning it manually on.

For developers and product managers, understanding how passkeys operate on iOS 15 is
crucial, especially if an online service supports a heterogenous user base with devices
ranging from older models, that might be running on iOS 15, to the latest ones.

This blog post analyzes the specifics of WebAuthn and passkeys on iOS 15, exploring how
different configurations – such as having [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) or
Touch ID / [Face ID](https://www.corbado.com/faq/is-face-id-passkey) turned on or off – affect the creation and
usage of passkeys.

The goal is to help provide a seamless and secure passkey experience, today in the era of
[iOS 17](https://www.corbado.com/blog/apple-passkeys-integration) (and
[iOS 18](https://www.corbado.com/blog/ios-18-passkeys-automatic-passkey-upgrades) recently presented), for all
users, regardless of the iOS version they are using.

## 2. Test Scenario: iPhone 7 with iOS 15.5

For our test scenario, we used an iPhone 7 running iOS 15.5. This device, equipped with a
Touch ID sensor, provided the environment to evaluate the functionality of WebAuthn and
[device-bound passkeys](https://www.corbado.com/faq/are-passkeys-device-specific) on iOS 15.

To conduct our tests, we utilized [passkeys-debugger.io](https://passkeys-debugger.io) and
[webauthn.io](https://webauthn.io).

## 3. Touch ID / Face ID Needs To Be Set Up for Passkeys

One of the most critical settings for passkeys to function correctly on iOS 15 is the
setup of Touch ID / [Face ID](https://www.corbado.com/faq/is-face-id-passkey). This requirement differs from iOS
16+, where reliance on just the iOS passcode might suffice. In iOS 15, solely relying on
the passcode is insufficient for enabling passkeys and using platform
[authenticators](https://www.corbado.com/glossary/authenticator).

- **Without Touch ID / Face ID**: Users are limited to using
  [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) (e.g.
  [YubiKeys](https://www.corbado.com/glossary/yubikey)) and cross-platform
  [authenticators](https://www.corbado.com/glossary/authenticator).
- **With Touch ID / Face ID**: Users can use passkeys and the underlying platform
  [authenticator](https://www.corbado.com/glossary/authenticator).

If you want to test the creation and authentication with a passkey yourself, we have
prepared the settings for you accordingly. You just need to follow the link to the
[Passkeys Debugger](https://www.passkeys-debugger.io/):
[Passkey Creation](https://www.corbado.com/blog/passkey-creation-best-practices) & Passkey Authentication.

### 3.1 Touch ID / Face ID is Turned Off

When Touch ID / Face ID is turned off, our testing revealed significant limitations.

It’s only possible to create a WebAuthn credential on
[hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys). We checked for the
support of different Web Authentication API functions:

- WebAuthn support: yes
- [Platform authenticator](https://www.corbado.com/glossary/platform-authenticator) support: no
- [Conditional UI](https://www.corbado.com/glossary/conditional-ui) support: no

![iOs 15 passkeys touch id off](https://www.corbado.com/website-assets/ios_15_passkeys_touch_id_off_ad7c2d3d93.png)

### 3.2 Touch ID / Face ID is Turned On

Setting up Touch ID / Face ID unlocked
[device-bound passkeys](https://www.corbado.com/faq/are-passkeys-device-specific) on iOS 15. These were not
synced, even though the [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) was activated. The
test for different Web Authentication API functions revealed the following:

- WebAuthn support: yes
- [Platform authenticator](https://www.corbado.com/glossary/platform-authenticator) support: yes
- [Conditional UI](https://www.corbado.com/glossary/conditional-ui) support: no

![iOs 15 passkeys touch id on](https://www.corbado.com/website-assets/ios_15_passkeys_touch_id_on_e007dd0c18.png)

Setting `attestation=direct` in the
[PublicKeyCredentialCreationOptions](https://www.corbado.com/glossary/publickeycredentialcreationoptions)
provided an [attestation](https://www.corbado.com/glossary/attestation) statement from Apple. The corresponding
[AAGUID](https://www.corbado.com/glossary/aaguid) was `f24a8e70-d0d3-f82c-2937-32523cc4de5a`. This is quite
different to iOS 16+ where [attestation](https://www.corbado.com/glossary/attestation) is not provided by Apple
devices, no matter what the
[PublicKeyCredentialCreationOptions](https://www.corbado.com/glossary/publickeycredentialcreationoptions) demand.
Besides, the `userPresent` and `userVerified` flags were set to true but
`backupEligible`(BE) and `backupStatus`(BS) were set to false.

Another core question now emerges: **is the created passkey a discoverable credential /
resident key or not?** To test the discoverability of the credential on the iOS 15 device,
we started a WebAuthn authentication ceremony without providing a username (and thus an
empty WebAuthn [allowCredentials](https://www.corbado.com/glossary/allowcredentials) list which was returned in
the [PublicKeyCredentialRequestOptions](https://www.corbado.com/glossary/publickeycredentialrequestoptions)), so
that we could see if stored passkeys were suggested for login. The following list of
passkeys was suggested, indicating that the passkeys are discoverable:

![WebAuthn login empty allow credentials](https://www.corbado.com/website-assets/webauthn_login_empty_allow_credentials_612fa13221.PNG)

WebAuthn credentials created using the
[platform authenticator](https://www.corbado.com/glossary/platform-authenticator) (Touch ID, Face ID) in iOS 15
and earlier
[will not be converted to synced passkeys](https://passkeys.dev/docs/reference/ios/#legacy-credentials)
but will remain available as device-bound passkeys for the lifetime of the device.

## 4. Does the iCloud Keychain need to be enabled on iOS15?

During our tests, we didn’t see any difference, when the
[iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) was enabled or disabled. In any case, the
credential was a [device-bound passkey](https://www.corbado.com/blog/device-bound-synced-passkeys) (requiring
activated Touch ID / Face ID) which was not synced (this could have been changed in the
developer mode though).

## 5. Recommendation

Many developers and product managers might now face the question of how to handle iOS 15
devices when developing their passkey authentication solutions. From our extensive
experience in the passkeys space, we recommend consistently checking the BE/BS flags or
operating based on the iOS version (via
[user agent](https://www.corbado.com/blog/client-hints-user-agent-chrome-safari-firefox) or
[client hints](https://www.corbado.com/blog/client-hints-user-agent-chrome-safari-firefox)) to decide which
approach to take:

**Option A: Go for maximum passkey adoption**

- Test for platform authentication support via
  PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().
- If the check is true, proceed with passkeys, treating them like device-bound Windows 10
  passkeys without [Conditional UI](https://www.corbado.com/glossary/conditional-ui) support.
- If the check is false, fall back to an alternative authentication method, as iOS 15
  cannot be used as a CDA client.

**Option B: Avoid user frustration at all costs**

- Recognize that passkeys on iOS 15 are never synced, posing issues in recovery scenarios.
- Note that passkeys on iOS 15 cannot be stored in third-party password managers.
- To avoid user frustration, consider falling back to other authentication methods instead
  of using device-bound passkeys from iOS 15.

Overall, this decision is not critical given the low market share of iOS 15, which stood
at only 5% in Q1 2024. However, it is essential to be aware of this complexity and manage
it accordingly to maintain a smooth user experience.

## 6. Conclusion

Understanding the special characteristics of WebAuthn credentials / passkeys on iOS 15 is
important for developers and product managers aiming to provide a seamless user experience
across various devices.

Our tests with an iPhone 7 running iOS 15.5 revealed that setting up Touch ID is crucial
for enabling device-bound passkeys and getting support for platform
[authenticators](https://www.corbado.com/glossary/authenticator). Without Touch ID / Face ID, users are
restricted to [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) /
cross-platform authenticators. These insights help ensure robust and secure authentication
flows, even for users on older iOS versions.

## Frequently Asked Questions

### Does enabling iCloud Keychain on iOS 15 allow passkeys to sync across devices?

No. Testing showed no difference in behavior whether iCloud Keychain was enabled or
disabled on iOS 15. Passkeys remain device-bound in all cases, though sync could
technically be forced on by enabling developer mode manually.

### What happens to passkeys created on iOS 15 when a user moves to a newer device?

Passkeys created with a platform authenticator on iOS 15 will not be converted to synced
passkeys on newer iOS versions. They remain available only as device-bound credentials
tied to the original device for its lifetime.

### How should I handle iOS 15 devices when building a passkey authentication flow?

There are two strategies: maximize passkey adoption by testing for platform authenticator
support via PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() and
proceeding if true, or avoid user frustration entirely by falling back to other
authentication methods since iOS 15 passkeys cannot sync or be stored in third-party
password managers.

### Why does iOS 15 require Touch ID or Face ID for passkeys when iOS 16 can use a passcode?

On iOS 15, relying solely on a device passcode is insufficient to enable the platform
authenticator needed for passkey creation. iOS 16 relaxed this requirement, making the
biometric setup a strict prerequisite unique to iOS 15 and earlier.